Our favorite 5 hacking items

1. Podcast of the week

I loved watching this podcast! The story of Bull (@v0sx9b) is impressive: he’s a self-taught full-time bug bounty hunter since only 2016 and already making a lot of money. So it’s good to listen to his hunting philosophy and tips.

For example, he focuses on big bugs and doesn’t report small ones, but rather keeps them to chain them and report higher impact bugs. This way, he reports 6/7 bugs a month on average but with high criticality & reward.

Beginners corner

Writeups

You can find the latest bug bounty writeups in our dedicated page: List of bug bounty writeups.
Only writeups that did not make it to this selection are listed below. This does not mean that they aren’t worth reading, just that they are not BUG BOUNTY writeups. We will soon post more details about how our curation process.

evil-ssdp: Abusing SSDP/UPNP on Windows networks to phish inside Windows Explorer. How to spawn spoofed devices on machines across the LAN, tricking users into visiting a phishing page and capturing the NTLM hash.

Dangerous Methods: A Burp Suite Professional extension for finding the use of potentially dangerous methods/functions in Javascript, jQuery, AngularJS, and others.

I came across an interesting technique when working on @0x6D6172696F XSS challenge this year. I couldn't really find a direct reference to it anywhere, so I made a challenge: https://t.co/BtSs2xkh4j Your goal is to bypass the XSS auditor on up to date chrome and alert the cookie